In most cases, a remote PIX that connects to a central PIX does not use
network address translation (NAT). Instead, the remote PIX uses a static
outside IP address. When a central PIX that runs 7.x or later connects to a
remote PIX that uses NAT, the setup is the same as a small home office PIX,
such as a PIX 501 or 506, connected to a cable or DSL modem that obtains its
address through Dynamic Host Configuration Protocol (DHCP). PIX 7.x and later
and Cisco Adaptive Security Device Manager (ASDM) do not run on a PIX 501 or
506. Therefore, for this example the remote PIX with DHCP and NAT is presumed
to be a PIX 501 or 506 that runs 6.x code. This configuration enables the
central PIX to accept dynamic IPsec connections. The remote PIX uses NAT to
join the privately addressed devices behind it to the privately addressed
network behind the central PIX. The remote PIX can initiate connections to the
central PIX (it knows the endpoint), but the central PIX cannot initiate
connections to the remote PIX (it does not know the endpoint).

In this sample configuration, Tiger is the remote PIX and Lion is the
central PIX. Since the IP address of Tiger is unknown, you must configure Lion
to dynamically accept connections from any address that presents the wildcard
pre-shared key. Tiger knows what traffic is to be encrypted (because it is
specified by the access list) and where the Lion endpoint is located, so Tiger
must initiate the connection. Both sides perform NAT and use nat 0 in order to
bypass NAT for IPsec traffic.

In addition, the remote user in this configuration connects to the
central PIX (Lion) using the Cisco VPN Client 4.x. The remote user cannot
connect to the remote PIX (Tiger) since both sides have dynamically assigned IP
addresses and do not know where to send the request.

The information in this document is based on these software and
hardware versions:

Cisco PIX Firewall Software Release 7.x and later (central PIX)

Cisco PIX Firewall Software Release 6.3.4 (remote PIX)

Cisco VPN Client Version 4.x

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

If the LAN-to-LAN (L2L) IPsec tunnel is not established, check whether
the pre-shared key for the DefaultRAGroup and the pre-shared key for the
DefaultL2LGroup are the same. If this is the case, then the PIX/ASA terminates
the tunnel on the DefaultRAGroup first and the L2L tunnel is then likely to
fail. Be certain that the pre-shared keys for the two default tunnel groups are
different.
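A constructed fragment for the central PIX (Lion, 7.x), added here as an example and not taken from the document's own sample configuration, that ties the points above together: nat 0 to exempt the site-to-site traffic, a dynamic crypto map that accepts an IPsec peer whose address is unknown in advance, the wildcard pre-shared key on DefaultL2LGroup, and a different key on DefaultRAGroup so the incoming L2L tunnel is not matched to the remote-access group first. The networks 10.1.1.0/24 (behind Lion) and 10.2.2.0/24 (behind Tiger), the map and transform-set names, and the key values are placeholders.

```cisco
! Lion (central PIX, 7.x) -- constructed example; addresses, names and keys are placeholders
!
! Ordinary NAT for Internet-bound traffic from the inside network
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! nat 0 is evaluated first: traffic between the two private LANs is exempted from NAT
! so it reaches the crypto map with its private addresses intact
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Phase 1 policy shared by the L2L tunnel from Tiger and the VPN Client users
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2: a dynamic crypto map accepts peers from any source address, which is why
! only Tiger (which knows Lion's address) can initiate the tunnel
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
!
! Wildcard pre-shared key used by dynamically addressed L2L peers such as Tiger
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key L2L-PLACEHOLDER-KEY
!
! The remote-access default group MUST use a different key: if both keys are equal,
! the PIX terminates the incoming tunnel on DefaultRAGroup first and the L2L tunnel fails
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key RA-PLACEHOLDER-KEY
```

Tiger (6.x) would point its isakmp key and crypto map at Lion's static outside address and use a matching nonat access list in the reverse direction.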